
Wireshark-dev: [Wireshark-dev] Reply: how recognise a udp packet data part is sip packet?



From: 董明 <bright.dong@xxxxxxxxx>
Date: Tue, 2 Jun 2009 21:04:09 +0800

Hi, chuangde:

Let's read the code together:

packet-udp.c:

void
decode_udp_ports(tvbuff_t *tvb, int offset, packet_info *pinfo,
         proto_tree *tree, int uh_sport, int uh_dport, int uh_ulen)
{
  /* First, try to dissect the UDP data by UDP port */
  if (low_port != 0 &&
      dissector_try_port(udp_dissector_table, low_port, next_tvb, pinfo, tree))
    return;
  if (high_port != 0 &&
      dissector_try_port(udp_dissector_table, high_port, next_tvb, pinfo, tree))
    return;

  /* Then we try the heuristic subdissector table. SIP is in the heuristic dissector list of UDP, so we give it a try */
  if (!try_heuristic_first) {
    /* do lookup with the heuristic subdissector table */
    if (dissector_try_heuristic(heur_subdissector_list, next_tvb, pinfo, tree))
      return;
  }

  /* Finally give up and hand the payload to the data handle */
  call_dissector(data_handle, next_tvb, pinfo, tree);
}


packet-sip.c:

void proto_reg_handoff_sip(void)
{
  /* Register the UDP SIP port */
  dissector_add("udp.port", UDP_PORT_SIP, sip_handle);

  /* Add a sub-dissector to the heuristic dissector list of UDP */
  heur_dissector_add("udp", dissect_sip_heur, proto_sip);
}


Good luck

Bright

 


From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of zhangchuangde@xxxxxxxxxxxxxxx
Sent: June 2, 2009 17:45
To: wireshark-dev@xxxxxxxxxxxxx
Subject: [Wireshark-dev] how recognise a udp packet data part is sip packet?


hi,

As defined in packet-sip.c:

#define TCP_PORT_SIP 5060
#define UDP_PORT_SIP 5060
#define TLS_PORT_SIP 5061

I know that when a tcp/udp/tls packet's port is 5060/5061, the protocol analyzer will dissect it as the SIP protocol.

However, for the first packet in the attachment, its src port is 6304 and dst port is 6090, and this packet is also dissected as SIP. How does Wireshark know this packet is a SIP packet?

Can you tell me how and why? Thanks a lot!


Best Regards,

 

Ade Zhang
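
Added example, not part of the original thread and not Wireshark's code: a simplified C model of the dispatch order described in the reply (port lookup, then a payload heuristic, then the data fallback). The names `looks_like_sip` and `classify_udp`, the first-line check and the sample payload are constructed for illustration; they stand in for, and do not reproduce, `dissect_sip_heur`, and a port match is treated as sufficient in this model.

```c
#include <stddef.h>
#include <string.h>

enum proto { PROTO_DATA, PROTO_SIP };
#define UDP_PORT_SIP 5060        /* value quoted in the thread */
#define SIP_VER "SIP/2.0"

/* Hypothetical heuristic: accept only if the first line is
 * "SIP/2.0 <code> <reason>" (response) or "<METHOD> <uri> SIP/2.0" (request). */
static int looks_like_sip(const unsigned char *p, size_t len)
{
    const unsigned char *eol = memchr(p, '\n', len);
    const unsigned char *sp1, *sp2;
    size_t n, rest, vlen = strlen(SIP_VER);

    if (eol == NULL) return 0;               /* no complete first line */
    n = (size_t)(eol - p);
    if (n > 0 && p[n - 1] == '\r') n--;      /* drop the CR of CRLF */

    sp1 = memchr(p, ' ', n);                 /* end of first token */
    if (sp1 == NULL || sp1 == p) return 0;
    sp2 = memchr(sp1 + 1, ' ', n - (size_t)(sp1 + 1 - p));
    if (sp2 == NULL || sp2 == sp1 + 1) return 0;  /* empty second token */

    /* Response: the first token is exactly the version string. */
    if ((size_t)(sp1 - p) == vlen && memcmp(p, SIP_VER, vlen) == 0) return 1;
    /* Request: the remainder after the second space is the version string. */
    rest = n - (size_t)(sp2 + 1 - p);
    return rest == vlen && memcmp(sp2 + 1, SIP_VER, vlen) == 0;
}

/* Order from the excerpt: lower port, higher port, heuristic, then data. */
enum proto classify_udp(unsigned sport, unsigned dport,
                        const unsigned char *payload, size_t len)
{
    unsigned low = sport < dport ? sport : dport;
    unsigned high = sport < dport ? dport : sport;

    if (low == UDP_PORT_SIP || high == UDP_PORT_SIP) return PROTO_SIP;
    if (looks_like_sip(payload, len)) return PROTO_SIP;
    return PROTO_DATA;                       /* fallback: undissected data */
}

int main(void)
{
    /* Constructed payload; the ports are the ones from the question. */
    const char *m = "INVITE sip:bob@example.invalid SIP/2.0\r\n\r\n";
    return classify_udp(6304, 6090, (const unsigned char *)m, strlen(m)) == PROTO_SIP ? 0 : 1;
}
```

With the ports from the question (6304 and 6090) neither port lookup matches, so the classification depends only on the payload check.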


